First Code of Conduct approved by the Data Protection Authority
The Italian Data Protection Authority approved, by measure no. 127 of 12 June 2019, the first post-GDPR Code of Conduct, specifically put forward by the National Association of Business and Credit Management Enterprises (in Italian “Associazione nazionale tra le imprese di informazioni commerciali e di gestione del credito” – ANCIC), concerning the processing of personal data in the field of business information, i.e. information relating to the assets, economic, financial, credit, entrepreneurial, industrial, organizational and productive, business and professional aspects of a natural person (with the exception, however, of that processing carried out in the context of credit information systems).
The new Code of Conduct will replace the current Deontological Code, which will nevertheless remain in force until 19th September 2019 in order to continue supporting companies in the gradual process of compliance.
Despite the official and definitive approval of the text, the effectiveness of the code itself is made dependent on the establishment of the corresponding Monitoring Body, as required by art. 41 GDPR. In fact, the assessment of conformity and the monitoring of compliance with a Code must be conducted by an accredited Body.
The main new features of the Code concern:
- greater protection for the persons surveyed (relating, for example, to the drafting of the policy to the data subject, the limits on the usability of the data as per art. 9-10 GDPR and the obligation to notify the Authority and the data subject in the event of a data breach);
- the data protection impact assessment also required in the context of data from public sources;
- alignment to European best practices and to uniform criteria by the European Data Protection Board;
- the reference to the risk-based approach (distinctive and innovative feature of the GDPR);
- the adoption of technical, IT, procedural, physical and organizational measures (including pseudonymization, disaster recovery, business continuity), identifiable in the concept of privacy by design and aimed at preventing and minimizing a data breach.
The players involved in commercial information activities are committed to respecting the rights, fundamental freedoms and dignity of the data subjects, in particular the right to the protection of personal data, the right to privacy and the right to personal identity.
Art. 6 of the Code deserves attention: the processing for purposes of commercial information carried out by companies that adhere to the Code makes, in this case, the consent of the data subject unnecessary, since the processing is necessary for the pursuit of the legitimate interests of the Data Controller, the public interest in the reliability of commercial transactions and the proper functioning of the market, provided that the processing is strictly carried out in accordance with the provisions of the Code and in particular art. 4 “Sources of origin and methods of processing of commercial information”.
Furthermore, the methods of processing personal data are determined so as to protect the rights of the data subjects, in order to guarantee both certainty and transparency in commercial relations, adequate knowledge and circulation of commercial and economic information, and the quality, relevance, accuracy and updating of the data (with regard, for example, to the period of data retention, the designation of a DPO in certain cases, the criteria of honorability, autonomy, independence and professionalism of the members of the OdM (the Monitoring Body), as well as the establishment of a specific complaint procedure managed by the OdM itself).
The goal of the Code of Conduct is to specify the extent to which the provisions of the Regulation are addressed to the specific sector of commercial information activities, in order to allow the actors involved in this field, as Data Controllers, to use the adherence to this Code as an element to demonstrate compliance with the relevant obligations, as set forth in art. 24, paragraph 3, of the GDPR. However, adherence to the Code does not imply automatic and full compliance with the GDPR nor does it constitute immunity for the Controllers: such adherence will, however, express an element of proof of the guarantees of data protection adopted.